In large-scale, distributed client/server applications, the server can service hundreds, if not thousands, of simultaneous requests from various clients. Many of these servers have the Lightweight Directory Access Protocol (LDAP) enabled. LDAP is a protocol developed to query and modify directory services over a TCP/IP network such as the Internet.
Client/server applications use LDAP to obtain authentication and authorization decisions from a separate identity management system. For example, the identity management system could be a single LDAP directory or several LDAP directories hosted on an OpenLDAP, eDirectory, or Active Directory server.
In an LDAP environment, there is a server hosting a client/server application and an LDAP server storing a data set used by that application. The server hosting the application is considered an LDAP client; it usually binds to the directory with its own proxy (service) credentials and then retrieves details about its end users' identities and their authorization permissions.
LDAP client applications can be very aggressive and can generate significant load on an LDAP server, driving it to high utilization. One way to avoid this burden is to cache a subset of the LDAP server's data on the client. With such a cache, the LDAP client does not need to contact the LDAP server every time the data is referenced. Where there are several LDAP client applications, reducing the number of times each application queries the LDAP server shortens the time the server spends responding to queries.
For example, as a user logs into an application with a user name and password, the LDAP client can submit those credentials to the LDAP server for authentication. If the authentication succeeds, the LDAP client can cache the user name together with a derived form of the password (in practice a salted hash rather than the cleartext password, so that a compromised cache does not yield reusable credentials) for use the next time that user logs into the application.
However, caching a subset of LDAP server data on the client introduces other problems. For example, data in the cache can become stale. A user name and password combination can be changed in the data set on the LDAP server after it has been cached on the LDAP client, and until the cached entry expires or is invalidated the client will continue to accept the old password. In situations where security is especially important, a stale cache of LDAP server data is unacceptable.
Accordingly, a need exists to update the cache on an LDAP client frequently enough to limit the problem of stale data, while still minimizing the load placed on the LDAP server as changes are made to the data on the LDAP server.
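The following Python program, added here as an illustration and not part of the original text, shows the client-side credential cache described above and makes the staleness problem observable. The LDAP server is a constructed in-memory stub (a dictionary mapping a DN to its current password and a `bind` function that simulates an LDAP simple bind); the class, function and variable names are the author's assumptions. The cache stores a salted PBKDF2 hash of the password with a time-to-live, never the password itself; a cache hit avoids a round trip to the server, and the demonstration shows that after the password is rotated on the server the client keeps accepting the old password from its cache until the entry expires.

```python
import hashlib
import hmac
import os
import time


class CredentialCache:
    """Client-side cache of recent successful LDAP binds (hypothetical design).

    Each entry holds a random salt, a PBKDF2-SHA256 digest of the password
    and an expiry time. Only a hash is kept so that a leaked cache cannot be
    replayed against the directory.
    """

    def __init__(self, ttl_seconds, bind, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.bind = bind          # callable(dn, password) -> bool, the server round trip
        self.clock = clock        # injectable so the demo can advance time
        self._entries = {}        # dn -> (salt, digest, expires_at)
        self.server_calls = 0     # how many times we had to contact the server

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def authenticate(self, dn, password):
        """Return (accepted, source) where source is 'cache' or 'server'."""
        now = self.clock()
        entry = self._entries.get(dn)
        if entry is not None:
            salt, digest, expires_at = entry
            if now < expires_at:
                if hmac.compare_digest(self._digest(password, salt), digest):
                    return True, "cache"
                # Digest mismatch: the password may have changed, ask the server.
            else:
                del self._entries[dn]   # expired entry, drop it
        self.server_calls += 1
        accepted = self.bind(dn, password)
        if accepted:
            salt = os.urandom(16)
            self._entries[dn] = (salt, self._digest(password, salt), now + self.ttl)
        return accepted, "server"

    def invalidate(self, dn):
        """Drop a cached entry, e.g. when a change notification arrives."""
        self._entries.pop(dn, None)


def demo():
    """Walk through login, cache hit, server-side rotation and expiry."""
    # Constructed stand-in for the LDAP server's data set (DN -> password).
    directory = {"uid=alice,ou=people,dc=example,dc=com": "correct horse"}

    def server_bind(dn, password):          # simulated LDAP simple bind
        return directory.get(dn) == password

    clock = [0.0]
    cache = CredentialCache(ttl_seconds=300, bind=server_bind, clock=lambda: clock[0])
    dn = "uid=alice,ou=people,dc=example,dc=com"

    first = cache.authenticate(dn, "correct horse")    # goes to the server
    second = cache.authenticate(dn, "correct horse")   # served from cache
    directory[dn] = "battery staple"                   # admin rotates the password
    stale = cache.authenticate(dn, "correct horse")    # old password still accepted
    clock[0] += 301                                    # TTL elapses
    expired = cache.authenticate(dn, "correct horse")  # server now rejects it
    return first, second, stale, expired, cache.server_calls


if __name__ == "__main__":
    print(demo())
```

The third result is the problem the text describes: between the rotation on the server and the cache expiry, the client accepts a credential the directory has already revoked. Shortening the TTL narrows that window at the cost of more server round trips, which is the trade-off a change-driven cache update is meant to resolve.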